Saved February 14, 2026
Do you care about this?
A flaw in Microsoft Teams allows users to join unprotected external tenants when accepting guest invitations, bypassing Defender for Office 365 protections. This gap exposes users to potential phishing and malware risks, as attackers can exploit cross-tenant security weaknesses. Organizations are urged to tighten their guest access policies to mitigate these risks.
If you do, here's more
A significant flaw in Microsoft Teams' guest invitation system exposes users to security risks by bypassing their Defender for Office 365 protections. When a user accepts a guest invite, they enter an unprotected external tenant, leaving them vulnerable to attacks. Rhys Downing, a threat researcher at Ontinue, points out that recent features in Teams, like the ability to chat with any email address, create opportunities for attackers. Attackers can easily set up a poorly secured tenant, lure users with fake invitations, and deliver malicious content that evades the victim's security measures.
The issue stems from the architectural design of cross-tenant collaboration. Once a user joins a guest tenant, the hosting tenant’s security settings take precedence. If those settings are weak or nonexistent, all protections from the user's home tenant are nullified. This is not a software glitch but a fundamental aspect of how Microsoft has structured these collaborations. Julian Brownlow Davies from Bugcrowd highlights that the risk now lies in the interconnectedness of tenants and collaboration tools, rather than just within individual applications.
To mitigate these risks, experts suggest treating external guest access as a critical trust boundary that requires careful management. Jason Soroko from Sectigo emphasizes the need for organizations to rethink their approach and implement stricter controls. Recommendations include restricting guest invitations to a vetted list of domains and disabling the default “chat with anyone” feature in Teams. These steps can help organizations better manage the inherent risks associated with cross-tenant collaborations and protect against potential threats.